M. Imtiaz Karamat is an IP Osgoode Alumnus and Associate Lawyer at Deeth Williams Wall LLP. This article was originally posted on E-TIPS™ For Deeth Williams Wall LLP on July 27, 2022.

On July 13, 2022, the Office of the Superintendent of Financial Institutions (OSFI) released its final Guideline B-13: Technology and Cyber Risk Management (Guideline B-13), which describes OSFI’s expectations for how federally regulated financial institutions (FRFIs) should manage technology and cyber risks.

OSFI views the large increase of cyber incidents in Canada as an urgent call for FRFIs to bolster their technology and cyber risk management practices. Guideline B-13 is OSFI’s answer to this call and provides a flexible, principle-based regulatory framework for FRFIs to strengthen their cybersecurity posture with strategies that account for their size, nature, scope, and complexity.

Guideline B-13 is the final result of an extensive consultation process that started in September 2020 and included an initial draft Guideline B-13 in November 2021, as previously reported by the E-TIPS® Newsletter here and here. The final Guideline B-13 takes a more streamlined approach than the previous iteration and is organized around three “domains” as opposed to the first draft’s five-domain structure. Each domain sets out specific outcomes for FRFIs to achieve in order to align with OSFI’s expectations:

1. Governance and Risk Management: Technology and cyber risks should be governed by clear accountabilities and structures, and comprehensive strategies and framework.
2. Technology Operations and Resilience: The FRFI has a technology environment that is stable, scalable, and resilient. The environment should remain current and supported by technology operating and recovery processes that are “robust and sustainable”.
3. Cyber Security: Guideline B-13 requires the FRFI to implement a technology posture that maintains the confidentiality, integrity, and availability of its technology assets.

Guideline B-13 is set to come into effect on January 1, 2024, which gives FRFIs time to review the framework and ensure that they meet compliance.